On 02.10.2014 14:38, Wietse Venema wrote:
> Per Thorsheim:
>> Mozilla and others have reported on old web clients that don't support
>> the use of new SHA-256 signed SSL certificates on websites. In a recent
>> thread at Mozilla
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c6, there's a
>> reference to Qualys:
>>
>> "At this time, a site could use two certificates: ECDSA+SHA256 for
>> modern clients and RSA+SHA1 for older clients."
>> https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
>> A feature supported by Apache at least.
>>
>> Is this something Postfix can do as well for STARTTLS support?
>
> You mean specify both certificates in the same file?
"If the connecting client/server supports a SHA-256 signed cert, then use that from our side, else fall back to the SHA-1 certificate from our side, with fallback to plaintext as a last resort."

I presume support for TLSv1.1 and TLSv1.2 increases the chances of SHA-256 certificates being supported as well, but I don't know yet. I would hate to see use of #starttls dropped because mailservers don't support SHA-256 signed certificates.

BR,
Per
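One way to give Postfix the two-certificate setup the Qualys quote describes, as an added example rather than anything from the thread: Postfix loads an RSA chain and an ECDSA chain through separate parameters (not one combined file), and the certificate paths below are assumptions. Note the caveat that Postfix chooses the ECDSA chain only when the client negotiates an ECDSA cipher suite, so the split is by key type, not by whether the client can validate a SHA-256 signature; `smtpd_tls_security_level = may` is what keeps plaintext as the last-resort fallback for clients that never issue STARTTLS.

```ini
# /etc/postfix/main.cf fragment (added example; file paths are assumptions)

# Opportunistic TLS: advertise STARTTLS, but still accept plaintext from
# clients that never issue it. This is the "plaintext as last resort" case.
smtpd_tls_security_level = may

# Chain 1: RSA key with a SHA-1 signed certificate, for legacy clients.
smtpd_tls_cert_file = /etc/postfix/certs/mail-rsa-sha1.pem
smtpd_tls_key_file  = /etc/postfix/certs/mail-rsa.key

# Chain 2: ECDSA key with a SHA-256 signed certificate, for modern clients.
# Postfix 2.6 and later (built against OpenSSL 1.0.0+) presents this chain
# when the negotiated cipher suite uses ECDSA authentication, and the RSA
# chain otherwise. Selection is driven by the client's cipher list.
smtpd_tls_eccert_file = /etc/postfix/certs/mail-ecdsa-sha256.pem
smtpd_tls_eckey_file  = /etc/postfix/certs/mail-ecdsa.key

# Log protocol and cipher per connection so the chain actually served to a
# given client can be checked in the mail log ("... TLS connection
# established from ...: TLSv1.2 with cipher ECDHE-ECDSA-..." vs "ECDHE-RSA-...").
smtpd_tls_loglevel = 1
```

To confirm which chain a client class receives, connect with `openssl s_client -starttls smtp -connect mail.example.com:25` once with an RSA-only and once with an ECDSA-only `-cipher` list and compare the certificate subject and signature algorithm it prints.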
